Abstract. In the evolving landscape of the Internet of Medical Things
(IoMT) cybersecurity, traditional security measures often struggle with
complex vulnerabilities, which are crucial due to the sensitive nature
of patients’ data. This article addresses this challenge and presents a
semantic framework to enhance cybersecurity on IoMT. It proposes a novel
MIoT (Medical Internet of Things) ontology that integrates knowledge
from diverse sources and employs RDF (Resource Description Framework)
formalism for the semantic representation of medical devices and
their related aspects. The framework also utilizes semantic modelling
to enrich data annotation and knowledge base development, supporting
the detection of vulnerabilities in medical IoT (Internet of Things)
networks. Additionally, the framework generates a knowledge graph that
stores Cyberthreat Intelligence (CTI) for medical IoT networks, enhancing
vulnerability detection, while underscoring the significance of
automated reasoning over aggregated knowledge.

1 Introduction


Smart technologies have reshaped how humans engage with their environment,
offering unprecedented convenience, efficiency, and automation. From smart homes
and cities to the expansive Internet of Things (IoT), these innovations aim to
intelligently integrate digital and physical systems. Artificial intelligence (AI)
serves as a pioneering force in this technological evolution, profoundly
impacting daily life. Its integration into the IoT has transformed interactions,
enhancing service quality, efficiency, and overall productivity [1].

The Internet of Medical Things (IoMT) is a specific subset of IoT that is
particularly transformative. It refers to the interconnected system of medical
devices, software applications, health systems, and services that communicate
with each other and with healthcare IT systems. The IoMT encompasses
wearable devices such as fitness trackers, implanted devices such as heart monitors,
and even hospital-based systems like surgical robots. The primary goal is to
optimize patient care, enhance the quality and effectiveness of treatments, and
increase the overall efficiency of healthcare delivery [2].

Since IoMT devices often deal with sensitive personal health information,
they are potential targets for cyberattacks. The security concerns include data
breaches, unauthorized access, and the potential for cybercriminals to
manipulate medical devices, which could lead to life-threatening outcomes. For instance,
in 2022, the U.S. Department of Health and Human Services reported 125
digital data breaches in healthcare, nearly doubling from the previous year [3]. The
upward trend persisted into early 2023, with 145 reported incidents in
healthcare in the first quarter [4]. In March 2023, a report from HIPAA (The Health
Insurance Portability and Accountability Act) highlighted a concerning pattern,
with data breaches affecting over 4 million patients [5].

However, the integration of IoMT into healthcare systems brings forth
significant security concerns. The rapid change in IoT applications in healthcare
makes it challenging for knowledge organization systems to keep pace with cyber
threats and vulnerabilities. Very few systems can model the IoMT in terms of
interoperability and heterogeneity. In the case of medical devices, when a cyber-attack
(e.g., ransomware or phishing) occurs, the organization systems are not well
enough developed to provide semantic knowledge to improve cyber resilience. This
paper provides the basis for developing knowledge graph-based modeling for
detecting the vulnerabilities in the IoMT setting that attacks ultimately exploit.

The rest of the paper is organised as follows. Section 2 discusses related
work, followed by Section 3, which presents our proposed framework for
vulnerability detection utilizing knowledge graph-based modeling. Section 4
provides a discussion. The conclusion and future work are presented in Section 5.


2 Related Work 


Several researchers work in IoMT settings and have proposed systems to enhance
the security and privacy of patients by using different techniques such as
ensemble learning, federated learning, blockchain, machine learning and deep
learning methods. Alsubaei et al. [6] proposed a Python-based recommendation tool
utilizing an MIoT ontology, tailored to stakeholder-specific needs and
scenario-based approaches. The tool’s effectiveness was assessed through a
vulnerability-based method and an expert-based method, involving the evaluation of 40
vulnerabilities from the NVD (National Vulnerability Database) dataset across 11
scenarios and incorporating recommendations from seven cybersecurity
graduates. Their tool faces a few challenges, particularly in the complexity of IoMT
environments, ensuring adaptability to evolving IoMT solutions, and the
potential difficulty for certain stakeholders, such as medical professionals and patients,
to comprehend its recommendations. Additionally, it requires regular updates to
address new IoMT solutions and security threats.

Recently, Khan et al. [7] proposed a Secure Ensemble Learning-Based
Fog-Cloud Approach for Cyberattack Detection in IoMT, which addresses the
security issues in IoMT networks caused by cyberattacks. One of the limitations
of this research is that their approach was evaluated using a simulated
environment, which may not accurately reflect the real-world performance of their
approach. Additionally, the proposed approach may not be effective against new
and unknown cyberattacks that have not been included in the training dataset.
The research presented by [8] focuses on Federated Learning (FL), Artificial
Intelligence (AI), and Explainable AI (XAI) in the context of intelligent
healthcare. The primary aim is to address vulnerabilities and challenges in traditional
healthcare systems that rely on centralized data sharing. The challenges
they faced include privacy issues, difficulties in aggregating user data from
different sources, the potential failure of cloud systems in personalized settings,
and the sensitivity of healthcare data.


The survey paper proposed by Jameel Almalki [9] focuses on analyzing
current state-of-the-art blockchain technologies and their applications in IoT-based
healthcare systems. It acknowledges the diversity in both the dimensions of
existing blockchain approaches and the requirements of IoT-based healthcare
applications. The main limitations identified include unresolved security issues such
as hostile attacks and authentication challenges, ongoing issues with blockchain
delay, and a lack of in-depth performance evaluation of the system. In another
survey [10], researchers focus on exploring the use of modern technologies like
the Internet of Things (IoT), 5G networks, artificial intelligence (AI), and big
data analytics in enhancing healthcare solutions. It emphasizes the need for
continued research to enhance the security aspects of modern healthcare systems,
thereby addressing the prominent open-ended research challenges identified in
the survey. Mahmood et al. [11] conducted a Systematic Literature Review
focused on developing a security model for the IoMT. This involved analyzing
major security models and conducting a meta-analysis to prioritize risks. The
resulting model includes a Python-based interface for identifying and managing
threats. However, the article recognizes the necessity for ongoing enhancements
to the model, acknowledging the dynamic nature of security threats in the IoMT
sector.


Sills et al. [12] aim to address security vulnerabilities in medical IoT devices
by creating a comprehensive repository of Cyber Threat Intelligence (CTI),
enabling the use of AI-based cyber defence systems. For this purpose, they proposed
a system that generates CTI from sources such as manufacturer alerts and
ICS-CERT, and augments it with data from Wikidata and the FDA’s AccessGUDID.
The combined information forms a Cybersecurity Knowledge Graph (CKG) that
is further enhanced through graph embeddings. However, the lack of extensible
big data resources for medical device vulnerabilities necessitates
knowledge augmentation, and the complexity of connecting diverse data sources
in the CKG is one of the challenging tasks. Secondly, security risks associated
with medical IoT devices, such as data breaches and device compromise,
highlight the urgency of creating a reliable knowledge base to enhance cybersecurity
measures in healthcare settings.

Apart from this, the literature has focused on the key research areas in the field
of IoMT to address security and privacy concerns [13], [14], [15]. Additionally,
there is a growing focus on developing regulatory frameworks and standards [16],
[17] to ensure IoMT devices meet minimum security requirements [18], [19].
However, these works do not provide semantic information for medical devices in terms
of vulnerability detection. In contrast to existing techniques, this paper proposes
a semantic framework to facilitate partial automation in improving the security
posture of medical devices in remote patient monitoring (RPM). At the heart of
this framework will be a domain ontology, which captures the semantics of the
concepts and properties of the main security aspects of IoT devices used in such
systems. This will be complemented by a security ruleset, complex queries, and
a mechanism to enable automated reasoning over the aggregated knowledge.


3 A Proposed Framework for Vulnerability Detection 
Utilizing Knowledge Graph-Based Modeling 


In this section, we present our proposed framework for vulnerability detection.
This framework integrates the Internet of Medical Things ontology, a knowledge
graph enriched with medical device data, and the incorporation of the National
Vulnerability Database (NVD) CVE information via an API. This
methodology empowers the framework to offer predictions about vulnerabilities, thereby
enhancing the security of remote patient monitoring systems. Figure 1 shows the
working mechanism of our proposed approach. The details of each component
including data storage and processing are provided in the following sections.


3.1 Knowledge Acquisition 


The knowledge acquisition phase involves gathering comprehensive background
knowledge from different sources such as literature, existing ontologies,
standards, vocabularies, and manufacturers. This background knowledge is related
to the fields of cybersecurity and IoMT, particularly remote patient monitoring.
This process includes identifying commonly used medical devices in the IoMT
settings, understanding potential vulnerabilities and attacks targeting these
devices, and determining the relevant security requirements. Standards and
vocabularies such as RDFs (Resource Description Frameworks) and schema.org are
utilized to identify and represent the necessary data for developing the domain
ontology IoMT. Data related to different types of IoT devices used in remote
patient monitoring, potential cyberattacks, and their corresponding data types
and functionality is collected. Extensive literature surveys are conducted to
review existing ontologies in the cybersecurity field, such as the VulOntolog [19],
which provides valuable concepts and properties that can be incorporated into
the IoMT ontology for effective cybersecurity in remote patient monitoring
systems.

Fig. 1. A Semantic Framework for Vulnerability Detection based on Knowledge Graph
(Source of Images: Google).


3.2 Knowledge Management


Knowledge management plays a crucial role in our proposed framework, utilizing 
reasoning to infer new facts within the ontology. The framework employs rule- 
based reasoning, wherein rules are defined to describe logical conditions and to 
predict hidden relationships within the ontology. Knowledge management can 
be divided into two main parts, as follows: 


MIoT Ontology The development of an MIoT ontology for cybersecurity in
remote patient monitoring systems starts with data acquisition, followed by
defining relevant concepts and properties and annotating the data with semantic
information. The MIoT ontology is central, incorporating healthcare expertise
and literature to define the semantics of medical devices, vulnerabilities, and
services. It uses RDF formalism for better representation and supports vulnerability
detection in Medical IoT by enhancing data access, sharing, and automated
reasoning. This ontology includes various concepts such as medical devices,
vulnerabilities, users, etc., and their relationships, contributing significantly to IoMT
security. The key purposes of the MIoT ontology are:

Data Annotation: This involves annotating data with semantic information using
the MIoT ontology to enhance the semantics of the RPM domain. The ontology
encompasses concepts related to vendors, products, medical devices,
manufacturers, firmware, versions, vulnerabilities, exploits, and affected components of
medical devices, including OS, hardware, and applications.


Knowledge Base Development: This process utilizes concepts, instances, and
their relationships derived from knowledge acquisition. The knowledge base
comprises a collection of data points (instances) and the categories or ideas they
represent (concepts), all interconnected through relationships. This structure is
vital for organizing and interpreting complex, diverse information in a
meaningful way, particularly in domains like IoMT.


Reasoning Engine Extending the domain ontology with rules and complex 
queries enables reasoning capabilities that go beyond simple data retrieval. It 
can identify potential vulnerabilities, assess the impact of vulnerabilities, and 
recommend mitigation strategies based on the knowledge encoded within the 
ontology and the rules. 

For instance, this framework may employ a rule that associates a particular
firmware version with a known vulnerability based on the NVD dataset. This
rule allows us to identify all devices with the same firmware version as potentially
vulnerable. By utilizing complex queries, we can further analyse the network
topology, device configurations, and other relevant factors to assess the potential
impact of these vulnerabilities on the overall system.

Our framework facilitates automated reasoning over aggregated data from
various sources, such as the MIoT ontology, CVE information, and any other
external source. In rule-based reasoning, rules are used as a fundamental
mechanism to draw conclusions or make decisions. Rule-based systems evaluate data
or facts against these rules to infer new information or make decisions.

For example: 

X = CardiacRhythmManagement is a MedicalSensor

Y = MedicalSensor is a subClassOf MedicalIoTDevice

Z = CardiacRhythmManagement is a MedicalIoTDevice

In rule-based systems, this illustrates the transitive property: if X = Y and
Y = Z, then X = Z.

In rule-based reasoning, software agents efficiently apply predefined rules
to data, identifying relevant patterns and executing corresponding actions or
conclusions. Their automated processing capabilities are essential for
decision-making or in environments where human expertise needs to be emulated or
augmented. For example, a rule may state that:

“If a medical device firmware version x from the vendor y is known to have a
specific vulnerability (based on historical data or NVD CVE information), then
all devices with the same firmware version are considered vulnerable”. This rule
is represented in SWRL (Semantic Web Rule Language) and DL (Description
Logic) syntax as follows:

SWRL Rule


Product(?product) ∧ hasFirmware(?product, ?firmware) ∧
hasVendor(?product, ?vendor) ∧ hasVulnerability(?firmware, true) ∧
Product(?otherProduct) ∧ hasFirmware(?otherProduct, ?firmware) ∧
hasVendor(?otherProduct, ?vendor) ∧ DifferentFrom(?product, ?otherProduct)
→ isVulnerable(?product, true)


DL Axioms 


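$$\forall x.\ \mathit{Product}(x) \land \exists f.\ \mathit{hasFirmware}(x, f) \land \exists v.\ \mathit{hasVendor}(x, v) \land \exists w.\ \mathit{hasVulnerability}(f, w) \land w = \mathit{true} \rightarrow \mathit{isVulnerable}(x, \mathit{true})$$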


This axiom shows that, if a product has firmware with a vulnerability, then the 
product is vulnerable. 


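$$\forall x\, \forall y.\ \forall f, v.\ \mathit{Product}(x) \land \mathit{Product}(y) \land \mathit{hasFirmware}(x, f) \land \mathit{hasFirmware}(y, f) \land \mathit{hasVendor}(x, v) \land \mathit{hasVendor}(y, v) \land x \neq y \rightarrow \mathit{isVulnerable}(x, \mathit{true}) \land \mathit{isVulnerable}(y, \mathit{true})$$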


This axiom shows that, if two different products have the same firmware and the 
same vendor, then both products are vulnerable. 
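
The subclass inference and the firmware rule from this section can be run as a small forward-chaining loop. The Python below is an added example, not the authors' implementation: predicate names follow the rules on this page, while the instance names, the `MedicalIoTDevice subClassOf Product` link and the helper functions are assumptions. It also shows where the SWRL rule and the first DL axiom differ: the SWRL rule marks a product only when a second product shares its firmware and vendor.

```python
# Added example: forward chaining over (subject, predicate, object) triples.
# Predicate names follow the rules on this page; every instance below
# (pacemakers, pump, firmware and vendor names) is constructed.

def by_pred(facts, pred):
    """All (subject, object) pairs stored under one predicate."""
    return {(s, o) for s, p, o in facts if p == pred}

def rule_subclass(facts):
    """subClassOf is transitive, and instances inherit superclasses."""
    sub = by_pred(facts, "subClassOf")
    out = {(a, "subClassOf", d) for a, b in sub for c, d in sub if b == c}
    out |= {(x, "type", d) for x, c in by_pred(facts, "type")
            for c2, d in sub if c == c2}
    return out

def rule_axiom1(facts):
    """First DL axiom: a Product whose firmware is vulnerable is vulnerable."""
    products = {x for x, c in by_pred(facts, "type") if c == "Product"}
    bad_fw = {f for f, v in by_pred(facts, "hasVulnerability") if v is True}
    return {(p, "isVulnerable", True) for p, f in by_pred(facts, "hasFirmware")
            if p in products and f in bad_fw}

def rule_swrl(facts):
    """SWRL rule: additionally needs a *different* Product with the same
    firmware and the same vendor before ?product is marked vulnerable."""
    products = {x for x, c in by_pred(facts, "type") if c == "Product"}
    bad_fw = {f for f, v in by_pred(facts, "hasVulnerability") if v is True}
    fw, vendor = by_pred(facts, "hasFirmware"), by_pred(facts, "hasVendor")
    out = set()
    for p, f in fw:
        for q, g in fw:
            if (f == g and f in bad_fw and p != q and {p, q} <= products
                    and any((p, v) in vendor and (q, v) in vendor
                            for _, v in vendor)):
                out.add((p, "isVulnerable", True))
    return out

def infer(triples, rules):
    """Apply the rules until no new triple appears (a fixpoint)."""
    facts = set(triples)
    while True:
        new = set().union(*(r(facts) for r in rules)) - facts
        if not new:
            return facts
        facts |= new

def vulnerable(facts):
    """Sorted names of everything marked isVulnerable = true."""
    return sorted(s for s, o in by_pred(facts, "isVulnerable") if o is True)

KB = {  # constructed knowledge base
    ("CardiacRhythmManagement", "subClassOf", "MedicalSensor"),
    ("MedicalSensor", "subClassOf", "MedicalIoTDevice"),
    ("MedicalIoTDevice", "subClassOf", "Product"),  # assumed link
    ("pacemaker-A", "type", "CardiacRhythmManagement"),
    ("pacemaker-B", "type", "CardiacRhythmManagement"),
    ("pump-C", "type", "MedicalIoTDevice"),
    ("pacemaker-A", "hasFirmware", "fw-1.0"),
    ("pacemaker-B", "hasFirmware", "fw-1.0"),
    ("pump-C", "hasFirmware", "fw-9.9"),
    ("pacemaker-A", "hasVendor", "vendor-X"),
    ("pacemaker-B", "hasVendor", "vendor-X"),
    ("pump-C", "hasVendor", "vendor-Y"),
    ("fw-1.0", "hasVulnerability", True),
    ("fw-9.9", "hasVulnerability", True),
}

if __name__ == "__main__":
    print("SWRL rule:", vulnerable(infer(KB, [rule_subclass, rule_swrl])))
    print("Axiom 1:  ", vulnerable(infer(KB, [rule_subclass, rule_axiom1])))
```

In this constructed inventory `pump-C` runs vulnerable firmware but is the only product using it, so the SWRL rule leaves it unmarked while the first axiom flags it.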


3.3 Visualization and Query Interface


The ontology data is stored in a knowledge graph, which also includes the data
source NVD (National Vulnerability Database) with its Common Vulnerabilities
and Exposures (CVE) data to display vulnerabilities associated with medical
devices in the ontology. The knowledge graph provides visualization capabilities,
allowing users to view the relationships and connections within the graph.
Additionally, it offers a SPARQL endpoint that enables users to query the graph
and assess the effectiveness of the framework. It consists of three parts:


MIoT Knowledge Graph A knowledge graph is a graph-based data
structure that represents knowledge through entities, relationships, and attributes. It
offers a flexible way to organize, query, and enhance understanding of data. In
this framework, a knowledge graph is proposed, based on the developed MIoT
ontology. The initial version of MIoT ontology is published in [21]. Utilizing
semantic modelling and the NVD dataset, this cybersecurity knowledge graph is
populated with Cyber Threat Intelligence (CTI) about vulnerabilities in medical
devices within IoT networks.

In this research, we are using the Ontotext GraphDB tool to generate the
MIoT knowledge graph that stores the CTI of IoT networks in medical devices.
This facilitates the detection of vulnerabilities, thereby strengthening the
protection of patient data. Figure 2 illustrates the domain-range graph for the MIoT
knowledge graph, showcasing the various concepts (i.e., Vulnerability,
Vendor, Services, etc.) and their relationships (i.e., hasVendor, byUsingService,
usingDevice, etc.) with the concept Product.

Fig. 2. The Domain-Range graph for the concept Product.


Integration with Industry Standards The National Vulnerability Database
(NVD) is a U.S. government repository that provides standards-based
vulnerability management data. This includes details on security-related software flaws,
misconfigurations, product names, and impact metrics. The NVD is essential for
the IT security community, offering a comprehensive database to evaluate and
manage cybersecurity risks linked to known vulnerabilities in software products
and systems. It serves as a crucial tool for cybersecurity professionals to identify
and address vulnerabilities in network and software environments.

In our framework, we utilize the NVD dataset for a detailed analysis of
vulnerabilities in medical IoT networks. The NVD offers a standardized collection
of known vulnerabilities and exploits in such settings. Our integration of this
dataset allows us to identify specific vulnerabilities in these systems. We
seamlessly incorporate the NVD by utilizing an API to access up-to-date information
on CVE and the Common Vulnerability Scoring System (CVSS). The NVD API
allows users to access NVD data and allows the integration of this information
into our framework programmatically. The API can be used to automatically
update security systems with the latest vulnerability information, including security
checklists, security-related software flaws, product names, and impact metrics.
This ensures that our framework is continuously updated with the latest data
from the NVD, providing ongoing protection against new threats in remote
patient monitoring IoT networks.
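
An added example (not the authors' code) of the ingestion step described above: it matches a device inventory against one CVE record shaped like the NVD CVE API 2.0 JSON, including version ranges, and emits triples that use this page's property names. The record, the inventory, the CVE ID and the `affectedBy` property are constructed placeholders.

```python
import json
import re

# Constructed record shaped like one entry of an NVD CVE API 2.0 response.
# The CVE ID, vendor, product and versions are placeholders, not real data.
NVD_RESPONSE = json.loads("""
{"vulnerabilities": [{"cve": {
  "id": "CVE-0000-00001", "published": "2023-01-01T00:00:00.000",
  "configurations": [{"nodes": [{"cpeMatch": [
    {"vulnerable": true,
     "criteria": "cpe:2.3:o:example_vendor:pump_firmware:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "1.0", "versionEndExcluding": "2.1"},
    {"vulnerable": false,
     "criteria": "cpe:2.3:h:example_vendor:pump:-:*:*:*:*:*:*:*"}
  ]}]}]
}}]}
""")

def parse_cpe(criteria):
    """Split a CPE 2.3 string on unescaped colons into named fields."""
    f = re.split(r"(?<!\\):", criteria)
    if len(f) != 13 or f[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 string: {criteria!r}")
    return {"part": f[2], "vendor": f[3], "product": f[4], "version": f[5]}

def ver(s):
    """'2.10' -> (2, 10): numeric ordering, trailing zeros ignored."""
    parts = [int(x) for x in s.split(".")]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def match_applies(match, vendor, product, version):
    """True if a vulnerable cpeMatch entry covers this firmware version."""
    cpe = parse_cpe(match["criteria"])
    same = (cpe["vendor"], cpe["product"]) == (vendor, product)
    if not (match.get("vulnerable") and same):
        return False
    if cpe["version"] != "*":            # exact version named in the CPE
        return cpe["version"] == version
    v = ver(version)                     # wildcard: apply the range bounds
    checks = [("versionStartIncluding", lambda b: v >= b),
              ("versionStartExcluding", lambda b: v > b),
              ("versionEndIncluding", lambda b: v <= b),
              ("versionEndExcluding", lambda b: v < b)]
    return all(ok(ver(match[k])) for k, ok in checks if k in match)

def cve_triples(response, inventory):
    """Triples for each CVE and for each inventory device it affects."""
    triples = set()
    for item in response["vulnerabilities"]:
        cve = item["cve"]
        node = cve["id"]
        triples |= {(node, "vulnerabilityID", node),
                    (node, "hasPublished", cve["published"])}
        matches = [m for cfg in cve.get("configurations", [])
                   for n in cfg["nodes"] for m in n["cpeMatch"]]
        for dev, (vendor, product, version) in inventory.items():
            if any(match_applies(m, vendor, product, version) for m in matches):
                fw = f"{product}/{version}"
                triples |= {(dev, "hasVendor", vendor), (dev, "hasFirmware", fw),
                            (fw, "hasVulnerability", True),
                            (fw, "affectedBy", node)}  # hypothetical property
    return triples

INVENTORY = {  # constructed; as plain strings "10.0" would sort below "2.1"
    "pump-01": ("example_vendor", "pump_firmware", "1.4"),
    "pump-02": ("example_vendor", "pump_firmware", "10.0"),
    "pump-03": ("other_vendor", "pump_firmware", "1.4"),
}

if __name__ == "__main__":
    print(sorted(cve_triples(NVD_RESPONSE, INVENTORY), key=str))
```

Only `pump-01` falls inside the constructed range; the wildcard version in the CPE string means the range fields, not the CPE itself, decide which firmware versions are affected.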


Access the SPARQL Endpoint The SPARQL endpoint enables access to 
the knowledge graph’s interface, allowing users, including patients, doctors, and 
healthcare providers, to visualize, query, and update data. For example: 


SELECT ?Product ?Condition ?y ?p ?e
WHERE {
  ?Product a base:MedicalSensor .
  ?Product MIoT:monitor ?Condition .
  # ?x is the vulnerability record: its CVE ID, publication date and exploit
  ?x base:vulnerabilityID ?y .
  ?x base:hasPublished ?p .
  ?x base:hasExploit ?e .
  FILTER (?y = "CVE-2023-1729")
}


The above-mentioned query retrieves all those products whose CVE ID is
CVE-2023-1729, along with other relevant information such as functionality provided
by the product, its published date, and exploit.


SELECT ?Product ?Condition ?y ?p
WHERE {
  ?Product a base:MedicalSensor .
  ?Product MIoT:monitor ?Condition .
  # ?x is the vulnerability record: its CVE ID and publication date
  ?x base:vulnerabilityID ?y .
  ?x base:hasPublished ?p .
}


This query retrieves the products of type MedicalSensor along with
their functionality, vulnerability ID and publication date.


4 Discussion 


In the rapidly evolving domains of IoT and cybersecurity for IoMT, existing
security measures often fall short, especially in handling complex vulnerabilities
with significant semantic implications. These shortcomings are critical due to the
sensitive nature of patient data, underscoring the need for improved, automated
security solutions on the Internet of Medical Things (IoMT). Several ontologies
addressing various aspects of this domain have been published in the realm of
IoT, IoMT and cybersecurity [6], [20], [22], [23], among
others. However, our proposed research introduces a comprehensive ontology
that represents medical devices, users, vendors, vulnerabilities, and more within
the RPM cybersecurity context. This ontology aims to capture the domain’s
semantics and establish meaningful relationships between entities.

Additionally, a significant deficiency of traditional security measures is their
lack of automation. This issue becomes particularly problematic in the rapidly
changing cybersecurity landscape, where new vulnerabilities constantly emerge.
Without automated systems to quickly identify and respond to these threats,
there’s a delay between the emergence of a vulnerability and its mitigation. This
delay allows attackers to exploit these weaknesses before users or administrators
become aware of them. This situation underscores the need for more dynamic,
intelligent, and automated security solutions in the IoMT field, capable of
proactively addressing threats in real-time to protect sensitive patient data. Existing
knowledge graphs populate NVD CVE information from JSON/XML files of
the NVD dataset. Our framework stands out by using an API to access and
incorporate data, ensuring regular updates and the ability to address emerging
vulnerabilities.


5 Conclusion and Future Work 


In this research article, we propose a semantic framework that combines the
Medical Internet of Things (MIoT) ontology with a knowledge graph enriched
by medical device data and integrates CVE information from the National
Vulnerability Database (NVD) via an API. Our approach enables the system to
detect vulnerabilities, thereby improving the security of remote patient
monitoring systems. The knowledge graph concisely presents Cyber Threat Intelligence
(CTI) information, offering advantages over traditional relational databases. In
addition, we demonstrate the importance of automated reasoning over
aggregated knowledge by presenting example rules. Future work will focus on
employing a reasoning engine to perform automated reasoning, aimed at identifying
vulnerabilities. This will allow the framework to generate advanced alerts about
vulnerabilities and potential attacks.


Disclosure of Interests. The authors declare no conflict of interest.